Op-Ed: Oracle is letting the side down for desktop users

With accusations that Oracle ignored warnings of the 0day exploit months ago, are the Java stewards doing enough to keep SE users safe?

“Disable Java NOW,” screamed a headline on UK tech publication The Register. “Please, for the love of your computer disable Java on your browser,” a security expert was quoted saying on Ars Technica.

We can imagine better publicity for the platform. When Java is being described as less secure than Flash or Acrobat, you’ve got a serious image problem brewing.

Tuesday’s zero-day exploit only affects SE users running 1.7, and – at least for now – only on Windows, but it’s far from the first time Java has been in the news for security holes. Among them is Flashback, the worst piece of malware ever seen on OS X, which used an exploit in Java that had not yet been patched in the Mac version.

Zero-day exploits will always be found in any platform or system, no matter how ‘secure’ it is. The trick is to react as quickly as – or faster than – anyone with nasty intentions. Unfortunately, with Java’s four-month security patch release schedule, this zero-day exploit won’t be patched for another two months.

If that wasn’t bad enough, Java SE has yet to get silent updates, as initially popularised by Chrome and since adopted by Firefox and even Flash Player. On Windows, Java still requires the user to respond to an annoying pop-up alert and then bother to go through a whole install wizard each time. We haven’t seen any adoption stats, but we doubt the majority of users are running the latest, most secure versions.

Silent updates may be somewhat divisive, but perhaps they’re
necessary when it comes to security issues like this. And, after
all, power users and developers aware of the differences between
versions can choose to manually update instead.

Of course, that seems like a moot point in the context of accusations that Oracle have known about these vulnerabilities for months. The press went from bad to worse today, as the same security firm claimed that they had reported 29 different security flaws since April – but only three of these were fixed by the June patch.

“Although we stay in touch with Oracle and the communication
process has been quite flawless so far, we don’t know why Oracle
left so many serious bugs for the Oct. CPU,” a member of the firm
told CIO. Oracle declined to provide a comment to JAXenter
on any of the accusations.

The importance of Java in the browser may be diminishing rapidly,
but it’s still part of the brand. If end users feel they can’t
place their trust in Java, how long until this uncertainty spreads
to the enterprise world?

If Java truly is “one platform”, that platform needs to be equally
secure everywhere.